ci: Gitea CI/CD pipeline + server deploy (Nexus mirror, Caddy HTTPS)
- .gitea/workflows/ci-cd.yml: frontend tsc check → self-hosted deploy job that
builds the full compose stack and brings it up behind Caddy. Locks
COMPOSE_PROJECT_NAME=flatrender (stable volumes), backs up the DB before each
deploy, health-waits gateway+frontend, no `down -v`.
- Route all package installs through mirror.soroushasadi.com:
frontend Dockerfile npm registry → NPM_REGISTRY build arg (Nexus default);
3× NuGet.Config (content/identity/studio) → HTTPS nuget-group (were a bare IP).
- Harden host ports: ${HOST_BIND:-0.0.0.0} prefix on postgres/minio/render/gateway/
frontend so prod (HOST_BIND=127.0.0.1) keeps them off the public internet — only
Caddy 80/443 is public. Dev (unset → 0.0.0.0) unchanged.
- render-svc MINIO_USE_SSL now env-driven (MINIO_HOST_USE_SSL) for HTTPS storage domain.
- deploy/ENV_FILE.production.example (the Gitea secret template) + deploy/README.md
(one-time setup + go-live checklist).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
soroush.asadi
@@ -0,0 +1,73 @@
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
# FlatRender — PRODUCTION ENV_FILE template
|
||||
#
|
||||
# This is the content of the Gitea repo secret named ENV_FILE.
|
||||
# Set it at: https://git.soroushasadi.com/soroushdes/flatrender/settings/secrets
|
||||
# The deploy job writes this verbatim to `.env`, which docker compose reads.
|
||||
#
|
||||
# Fill every <PLACEHOLDER>. Generate secrets with: openssl rand -hex 32
|
||||
# After editing the secret, push any commit to trigger a redeploy.
|
||||
# Changing a NEXT_PUBLIC_* value requires a redeploy (baked into the frontend at build).
|
||||
# ─────────────────────────────────────────────────────────────────────────────
|
||||
|
||||
# ── Host port binding ────────────────────────────────────────────────────────
|
||||
# 127.0.0.1 keeps Postgres/MinIO/gateway/frontend OFF the public internet — only
|
||||
# Caddy (80/443) is public. (Docker bypasses ufw, so this binding is the real guard.)
|
||||
HOST_BIND=127.0.0.1
|
||||
|
||||
# ── Domains (DNS A-records must point at this server) ────────────────────────
|
||||
DOMAIN=flatrender.example.com
|
||||
API_DOMAIN=api.flatrender.example.com
|
||||
STORAGE_DOMAIN=storage.flatrender.example.com
|
||||
ACME_EMAIL=you@example.com
|
||||
|
||||
# ── Browser-facing URLs (baked into the frontend at build time) ──────────────
|
||||
NEXT_PUBLIC_SITE_URL=https://flatrender.example.com
|
||||
NEXT_PUBLIC_API_URL=https://api.flatrender.example.com/v1
|
||||
NEXT_PUBLIC_MINIO_URL=https://storage.flatrender.example.com
|
||||
NEXT_PUBLIC_TENANT_SLUG=flatrender
|
||||
CORS_ORIGIN=https://flatrender.example.com
|
||||
|
||||
# ── Core secrets ─────────────────────────────────────────────────────────────
|
||||
JWT_SECRET=<openssl rand -hex 32>
|
||||
SERVICE_TOKEN=<openssl rand -hex 32>
|
||||
NODE_HMAC_SECRET=<openssl rand -hex 32>
|
||||
JWT_ACCESS_MINUTES=1440
|
||||
|
||||
# ── Postgres ─────────────────────────────────────────────────────────────────
|
||||
POSTGRES_USER=flatrender
|
||||
POSTGRES_PASSWORD=<openssl rand -hex 24>
|
||||
|
||||
# ── MinIO (object storage) ───────────────────────────────────────────────────
|
||||
MINIO_ACCESS_KEY=<openssl rand -hex 12>
|
||||
MINIO_SECRET_KEY=<openssl rand -hex 24>
|
||||
MINIO_BUCKET=flatrender-exports
|
||||
MINIO_TEMPLATES_BUCKET=flatrender-templates
|
||||
MINIO_UPLOAD_BUCKET=user-uploads
|
||||
# render-svc signs presigned URLs for the public storage domain (over HTTPS via Caddy):
|
||||
MINIO_HOST_ENDPOINT=storage.flatrender.example.com
|
||||
MINIO_HOST_USE_SSL=true
|
||||
|
||||
# ── Render farm ──────────────────────────────────────────────────────────────
|
||||
# No AE node on the server → keep the dev worker OFF (it would mock-complete jobs).
|
||||
# Instead disable rendering in Admin → فارم رندر → موتور رندر so users see a notice.
|
||||
RENDER_DEV_WORKER=false
|
||||
RENDER_DEV_SNAPSHOTS=false
|
||||
|
||||
# Gateway host port (bound to HOST_BIND above; public access is via API_DOMAIN/Caddy).
|
||||
GATEWAY_PORT=8080
|
||||
|
||||
# ── Payments (fill the providers you actually use; leave others blank) ───────
|
||||
STRIPE_SECRET_KEY=
|
||||
STRIPE_WEBHOOK_SECRET=
|
||||
STRIPE_PUBLISHABLE_KEY=
|
||||
ZARINPAL_MERCHANT_ID=
|
||||
ZARINPAL_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/zarinpal
|
||||
ZARINPAL_SANDBOX=false
|
||||
SNAPPAY_CLIENT_ID=
|
||||
SNAPPAY_CLIENT_SECRET=
|
||||
SNAPPAY_BASE_URL=https://api.snappay.ir
|
||||
SNAPPAY_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/snappay
|
||||
TARA_API_KEY=
|
||||
TARA_BASE_URL=https://api.tara.ir
|
||||
TARA_CALLBACK_URL=https://api.flatrender.example.com/v1/payments/callback/tara
|
||||
Reference in New Issue
Block a user